The Commonwealth Bank of Australia - sickness or symptom?

When the Commonwealth Bank of Australia (CBA) story first appeared, I instructed World Money Laundering Report that we should not become involved in what would inevitably become a frenzy of speculation and ill-informed comment as consultants (of which I am, obviously, one) and media outlets vied to benefit their own profile, and to get website visits, while the story was hot. I wrote what amounted to a placeholder article .

In that article "Commonwealth Bank : "53,000" breaches of money laundering requirements," which WMLR placed in its publicly accessible sister BankingInsuranceSecurities.com at https://www.pleasebeinformed.com/publications/BankingInsuranceSecurities..., we said

"This is automated banking and almost nothing happens "under eye."

"We think, when more information is made available, that we will hear that the monitoring software was not properly coded and that the bank abrogated its responsibility in favour of a tech-only "solution."

"It is already known that there was data available that indicated suspicion but it was not properly analysed and/or acted upon."

We were right. The ATM software people say that the data they produced accurately identified the reportable transactions but that somewhere, after their responsibility ended, the data did not reach, or was not acted upon by, those responsible for reporting.

But that, it is now becoming clear, is not the root cause of the problem.

Ever since 1994, I have been arguing until I am blue in the face that the reason counter-money laundering systems fail is, primarily, due to the fact that main boards do not consider financial crime risk management, and money laundering risk management in particular, to be a main board responsibility. It happens somewhere in their organisation but they neither know nor, in some cases, care where. It is a legal function? Compliance? Risk Management? Internal Audit? Oh, there's training involved, is it an HR function?

In the mid 1990s, I was met with astonishment when I said money laundering compliance and risk management should be a board function. One large insurance company appointed the CEO's secretary as MLRO "because it's all paperwork, isn't it? " A bank appointed a junior clerk in accounting "because it's got to do with money."

In October 2001, when the USA PATRIOT Act was awaiting an in-force date, my warnings as to the risks of foreign banks dealing in US Dollars via the Correspondent Banking system were not merely ignored, they were heavily criticised by the big accounting and law firms.

During the past decade, I have repeatedly warned that the reputational risk that, in the mid 1990s, we all thought companies would face if they were found to have been involved in money laundering had been wrong as to the type of risk: in fact the risk is that when one regulator finds a shortcoming, other regulators, domestic and foreign, will pile in with their own investigations - and, of course, demands for payment. There is no such thing as double jeopardy where regulators are concerned: a success by one opens the door to others.

The reality of the CBA case is that the type of offence and its scale are, in the great scheme of things, nothing special. After all, tens of thousands of completed cash transaction reports were found stuffed in cupboards at a Las Vegas casino more than a decade ago and no one made much fuss, although the casino, Las Vegas Sands, did negotiate, almost a decade later, to avoid prosecution by the payment of money to various government bodies.

Media has been scurrying around trying to find evidence that the bank willingly laundered moneys or, worse, conspired to move money that was intended for use in terrorist acts.

The simple thing is this: Australian banks are, generally, not well run. Often major decisions are made by those who have migrated to banking from large consulting companies and decisions are costs driven and, in at least one case, large parts of the operations are outsourced to consulting companies which have no direct involvement with the bank's general operations and which have created administration systems which actively militate against compliance and risk management staff getting the information they want. We can attest to this - one Australian bank has been removed from our own client list because their outsourced purchasing system is too expensive for us to deal with in relation to publications and educational courses. It is a bank that even after Accenture abolished, for internal purposes, its incredibly badly designed and implemented PIP review system continued to use it to "manage out" staff at will and, in some cases, to purport to deny staff the right to a tribunal review of the mismanagement of staff.

For these bean counters, money laundering compliance and risk management is a cost to be at least minimised and ideally avoided.

The CBA case is not an indictment of CBA alone. Nor is it an indictment of the Australian banks nor even the Australian regulated sector in isolation. It is an indictment of the fact that banks and other regulated businesses, all over the world, simply do not take regulation and, even, criminal conduct sufficiently seriously and that boards do not consider it a part of their core function. Even where periodic reports are required to be filed by e.g. MLROs, the boards rarely go behind the numbers presented, especially if to do so might open a conversation in which a demand for more budget is likely.

For the CEO to fall on his sword after the CBA revaluations is not a solution. What is needed is for CEOs to understand that there are regulatory and criminal sanctions for failing to comply with law and regulations and that those sanctions apply to both the company and to the board, including non-executive directors. They must understand that the compliance and risk functions are not ring-fenced by appointing a Director of Compliance and Financial Crime Risk, or some-such. There is a clear duty on all directors, regardless of title and seniority, to actively manage the company and that includes all subsidiaries wherever they are located.

It is not enough to point to senior staff and say "we paid for them to get qualifications" because no one officially approves any such qualifications : they are all the product of unregulated private corporations, regardless of the grand name they print at the top. And the fact that a handful of such dominates the training and certification industry is not a guarantee of quality nor, even, of the broader education that is required to properly perform duties.

One only has to look at the material published on LinkedIn by those claiming qualifications of one sort or another to see that it is superficial and buzzword driven and that the ability to, essentially, cut and paste features more than comprehension.

This is a highly material point: it has long been said that an expert is someone who knows even a little more than you. And in the highly (and unnecessarily) complex world of money laundering, etc. compliance and risk management as boards know little, even those who toss around the current buzzwords seem to be expert.

As regulators around the world look at CBA's systems and controls, the question of competence and capability of "certificated" or "certified" money laundering risk management and compliance staff must become a live issue: the certification companies have now reached such a high-level of market penetration that regulators have no choice, if they do their jobs properly: why, if the certifications are seen as a measure of competence and capability, are there so many failures? Are they fit for purpose?

We are now past the excitement point of the CBA news cycle. We are now into the grind where specialist media will pick up on the progress of investigations and general media will pick up on court, etc. reports or stage-managed "perp-walks" for officers of US branches, if they can find anything to justify attacking another foreign bank.

In two or three years, we will see some regulatory action. We will almost certainly see no individual in the criminal court dock. Similarly, we will almost certainly see no significant sanction, other than a monetary penalty, to bribe authorities not to commence or continue criminal proceedings.

That's not a pity, it's a shame, in the true sense of the word. The world will keep on turning and nothing will change. The media will move on to the next big thing which, in Australia, is usually a minor political scandal which results in the prime minister being replaced with someone equally ineffectual. Outside Australia, the financial world will look and say "oh, well, it's just a little local bank on the other side of the world. Nothing to see here."

And when that happens, there is only one group to blame: regulators who don't have the courage or competence to ensure that regulated businesses do the best job possible and police sensible regulations, rather then constantly revise and add to regulations that are already so bloated and complex that they are not fit for purpose.

---------------------------------------------------------------------------

Understanding suspicion in Financial Crime.

– why people do not report suspicious transactions –

Seminar

Hong Kong September 2017, Sydney and Melbourne, October 2017.

www.financialcrimeforum.com

Professional bodies, government departments, regulators and companies may organise this seminar in-house.

www.countermoneylaundering.com

---------------------------------------------------------------------------------